Long-term benefits of on server matching outweigh the risk

What's the big deal?

There is a position held by some in the digital security community that performing biometric matching on a server is unsafe. The notion is that doing so requires creating and storing, in one centralized location, a database of many different individuals' biometric information. Further, this centralized database of identity information creates an irresistible target for would-be fraudsters, and upon their inevitable compromise of the data, the losses will be catastrophic.

This group of individuals advocates for what is known as "on device" matching, i.e. biometrics are used for verification only: the user's biometric data is stored on their own device, and they subsequently provide another biometric sample to check against that single, on device enrollment. The perfect example is Apple's Touch ID being used to access a PayPal account. The claim is that on device matching is inherently safer than on server matching, because there is no centralized database of identity information for criminals to pilfer.

That all makes rational sense, but as I discussed in last week's post On Device vs. On Server - Whose Risk is Lower?, the reality of identity theft trends seems to indicate that opportunity costs are leading hackers to target individuals, not purely enterprise databases. That is not to say that hackers aren't attacking large stacks of enterprise data; quite the opposite, in fact, the news is replete with the latest major database hacks. The point is that the net gain to the hacker seems to be greater when they target a specific individual (and their devices) rather than a trove of data, because the data they "liberate" directly from the user is often more immediately useful. Furthermore, these major hacks, while sensationalized by the media, aren't producing the devastating effects prophesied for them.

According to a recent eWeek report by Robert Lemos, "Huge Data Breach Losses Aren't Forcing Companies to Bolster Security", huge data breaches aren't, well...forcing companies to bolster security. That begs the question: why not? Because the losses are insignificant relative to the cost of implementing better security and/or no longer housing the data. Yet again the question is begged: why aren't the costs significant enough? Because what the hackers steal is often useless without significant further effort, effort that ultimately results in their targeting a specific user, so why not just start there?

To take the media at their word on these breaches (and the pro on device caucus), the losses should be astronomical: Old Testament style garment rending, weeping in the streets, wailing, gnashing of teeth, etc., etc. style losses, but nope...business as usual. Case in point: the U.S. Office of Personnel Management hack. In fact the biggest identifiable cost for OPM is credit monitoring that experts say is pointless, because the hack was not really about stealing identities.

I should also point out here that the OPM hack was a hack of a government database (as have been most of the large hacks involving biometrics). Governments typically store an actual copy of the fingerprint image in WSQ format, while enterprises typically keep only a template that cannot be reverse-engineered into the fingerprint and is usable only in their proprietary system. The breach of a government database should then be far worse than the breach of an enterprise.

Generally speaking, the biggest costs associated with these now infamous data breaches are government imposed liability (particularly in the UK) and the cost of defense in the inevitable subsequent class actions by users, who themselves have trouble naming a concrete damage beyond "pain and suffering due to anxiety".

Again, I'm not saying there isn't some actual damage (real financial loss to the compromised user); there is. Nor am I saying we should be lackadaisical about data security; it most definitely needs to improve. I'm simply pointing out that server breaches are not anywhere near the killer they're painted to be. I believe that centralized (secure) storage of data, including biometric data, leads to efficiencies (and in fact better security than on device) that facilitate activities whose value outweighs the risks.

What's in it for us?

The data being housed on servers and on devices is about one thing: facilitating transactions. We're all looking for ways to maximize our knowledge in the shortest possible time so we can take the best actions, the ones that will provide us the maximum benefit: better transactions, by more users, faster; that is, we're seeking efficient transactions. A major component of this is the need to be sure the parties engaged in the transaction are the right ones and that the data being exchanged belongs to or is appropriately associated with them; we want secure transactions, more specifically, authentic transactions.

This is a good time to point out that when I say transactions I don't necessarily mean the movement of currency; I mean the exchange of some form of data, which could represent a service, information, or actual dollars.

So we want data, including biometric data, to achieve efficient transactions, which consist of three elements: 1. Quality, 2. Volume, 3. Speed. Authenticity lives in the Quality element, and most of the time it doesn't play nice with elements 2 and 3; they exist in an inverse relationship. You can't be sure your transaction contains quality data unless you know the right people are involved and that they're providing the right data, so you have to make them do something to prove it. That inevitably means fewer people can participate, and participation occurs at a slower rate. Reducing the friction between Quality and Speed/Volume is where the frontier of data security is.

How do we maximize our efficiency?

Everyone is generally in consensus around this idea: we (the security industry) need to provide authentication mechanisms that are easy to use but stronger than they are now, more authentic. We also seem to agree that passwords suck and that biometric modalities are largely the answer, but I don't think that's actually true.

I think there's a contingent in the security industry that just won't let a particular technology die: cryptographic authentication, more specifically public key infrastructure (PKI). They think biometrics are nothing more than a user friendly mask for PKI based authentication.

Per Carlisle Adams and Steve Lloyd in Understanding PKI, PKI is a cryptographic technique that enables entities to communicate securely on an insecure public network and to reliably verify the identity of an entity via digital signatures. In other words, PKI can serve two purposes: 1. ensuring data is transmitted securely; and 2. user authentication.

Now don't get me wrong, I'm a huge fan of encryption; data should be sent encrypted and should be stored encrypted. But PKI has been and remains a clunky way to authenticate users. That clunkiness is why it never caught on with the mainstream, and why employees in large enterprises often simply refused to use it.

If you look closer at this on device versus on server debate, you'll find the loudest voices in the on device crowd cut their teeth (and made a fair amount of money) working with PKI; it's what they know, and they're sold out to it. They advocate (and lobby) for nothing more than a modified PKI system. In a nutshell, just about every currently proposed iteration of on device biometric matching (when used to authenticate the user to a third party, not just for device access) consists of a biometric match that releases the use of the user's private key. The key is then used to perform authentication in generally the same way as a traditional PKI system.

Yay! You mean I don't have to keep track of my private key or "sign" anything myself, it's all done automagically? This should work great, right? Wrong, because, just like PKI has always been, it's not scalable. What happens when you lose your device, swap it, or add another one? How do you let that third party service you've been authenticating to via on device biometrics know it's still you talking to them through this new device? Wait for it.....that's right....your good ole' username and password. Wait a sec, I thought we hated passwords and were getting rid of them? Well, not if you want to use on device biometrics, you're not, unless of course you plan on moving the private key from one device to another and/or copying it, both of which are huge crypto no-nos. Oh yeah, there's the dongle approach: you can carry around yet another piece of hardware that holds your private key and biometric template separate from your PC or phone. Sure, there's a standardization of architecture and pluggability of authenticators in this system that makes things appear simpler, but in the end, the only way a user can prove they're allowed in is with a private key or a password. As we all know, a system is only as strong as its weakest link.

The on device approach to biometric authentication is, at best, treating biometrics as window dressing for user convenience; at worst, it's masking the security and scalability nightmare we're currently facing with password based authentication. Never mind that the biometric template in this architecture isn't itself that securely stored. Never mind the fact that the biometric template and your private key likely live on a piece of hardware that is notoriously physically insecure: millions of mobile devices are lost every year.

On server matching relies on the storage of a user's biometric template on a server that is separate from the device used to collect the biometric. There are two ways to do this: 1. on the server of the party requesting the identity, e.g. on a bank's server, where the bank would manage its users' biometric data; or 2. on a third party identity as a service (IDaaS) provider's servers, which could be referred to as the cloud. The major advantage here is that you can truly eliminate passwords.

Just like any authentication regime, on server matching can be done poorly or it can be done well. End points must be secure, databases must be encrypted, servers and clients must be attested, network communication must be encrypted, the physical location of the server must be secure, the server must be redundant logically and physically, load must be balanced properly, etc. Much if not all of these requirements remain true for a system that uses on device matching too, but you can't ensure the logical and physical security of data on a mobile device to the same degree as on a server; it's out of the hands of experts and in the untrained hands of the people the technology is supposed to protect.
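To make the two architectures concrete, here is an added example (my own illustration, not code from this post or from any vendor or standard) that models both flows described above: the on device flow, in which a biometric match on the device releases a private key that signs a challenge from the service, and the on server flow, in which the service holds the template and performs the match itself. The biometric "template" is a constructed list of integers with a simple agreement threshold, and the signature is a toy textbook RSA with small fixed primes, chosen only so the script runs with the Python standard library; neither is a real biometric matcher or a usable cryptosystem. The demo also reproduces the device replacement situation from the on device section: a replacement device holds a key the service has never registered, so the on device flow fails until the user proves identity some other way, while the on server flow keeps working from any device.

```python
import hashlib
import math
import secrets

# Constructed toy "biometric" data: a template is a list of 64 small integers.
# Similarity is the fraction of positions that agree; real matchers are far
# more involved, but a threshold decision is all the two architectures need.
MATCH_THRESHOLD = 0.9


def similarity(sample, template):
    """Fraction of positions at which two feature vectors agree."""
    assert len(sample) == len(template)
    agree = sum(1 for a, b in zip(sample, template) if a == b)
    return agree / len(template)


# Toy textbook RSA with small fixed primes: illustration only, not secure.
def toy_keypair():
    p, q = 10007, 10009
    n, phi = p * q, (p - 1) * (q - 1)
    while True:                              # random odd e coprime to phi, so
        e = 3 + 2 * secrets.randbelow(phi // 2 - 2)   # each device gets its own key
        if math.gcd(e, phi) == 1:
            break
    d = pow(e, -1, phi)                      # modular inverse (Python 3.8+)
    return (n, d), (n, e)                    # (private, public)


def _digest_mod(n, message):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message):
    n, d = private_key
    return pow(_digest_mod(n, message), d, n)


def verify(public_key, message, signature):
    n, e = public_key
    return pow(signature, e, n) == _digest_mod(n, message)


class OnDeviceAuthenticator:
    """The user's device: holds the enrolled template AND the private key.
    The key is used only after a local biometric match succeeds."""

    def __init__(self, template):
        self.template = template
        self.private_key, self.public_key = toy_keypair()

    def respond(self, sample, challenge):
        if similarity(sample, self.template) < MATCH_THRESHOLD:
            return None                      # local match failed; key stays locked
        return sign(self.private_key, challenge)


class OnDeviceRelyingParty:
    """The service: never sees a biometric, stores only each user's public key."""

    def __init__(self):
        self.public_keys = {}                # user -> registered public key

    def register(self, user, public_key):
        self.public_keys[user] = public_key

    def authenticate(self, user, device, sample):
        if user not in self.public_keys:
            return False
        challenge = secrets.token_bytes(32)  # fresh nonce per attempt
        signature = device.respond(sample, challenge)
        return signature is not None and verify(self.public_keys[user], challenge, signature)


class OnServerMatcher:
    """The service holds the template and performs the match itself. The
    post's requirements (encrypted storage, attested clients, encrypted
    transport) are outside this toy and would wrap around this class."""

    def __init__(self):
        self.templates = {}                  # user -> enrolled template

    def enroll(self, user, template):
        self.templates[user] = template

    def authenticate(self, user, sample):
        template = self.templates.get(user)
        return template is not None and similarity(sample, template) >= MATCH_THRESHOLD


# Constructed samples: the genuine one differs from the template at 3 of 64
# positions (61/64 agreement); the impostor's agrees at only 13 of 64.
TEMPLATE = [i % 10 for i in range(64)]
GENUINE = [(v + 1) % 10 if i < 3 else v for i, v in enumerate(TEMPLATE)]
IMPOSTOR = [(i * 7) % 10 for i in range(64)]


def demo():
    """Run both flows and return the accept/reject outcome per scenario."""
    alice_phone = OnDeviceAuthenticator(TEMPLATE)
    rp = OnDeviceRelyingParty()
    rp.register("alice", alice_phone.public_key)
    replacement_phone = OnDeviceAuthenticator(TEMPLATE)   # re-enrolled locally, new key

    server = OnServerMatcher()
    server.enroll("alice", TEMPLATE)

    return {
        "on_device_genuine": rp.authenticate("alice", alice_phone, GENUINE),
        "on_device_impostor": rp.authenticate("alice", alice_phone, IMPOSTOR),
        "on_device_new_phone": rp.authenticate("alice", replacement_phone, GENUINE),
        "on_server_genuine": server.authenticate("alice", GENUINE),
        "on_server_impostor": server.authenticate("alice", IMPOSTOR),
    }


if __name__ == "__main__":
    for scenario, ok in demo().items():
        print(f"{scenario:22s} -> {'accepted' if ok else 'rejected'}")
```

The interesting line is the `on_device_new_phone` outcome: the replacement device matches the user's finger perfectly well, but the service only knows the old public key, which is exactly the gap the post says gets filled by a username and password. The `OnServerMatcher` has no such gap, which is also why the post's list of server-side requirements matters so much: the template it holds is the whole credential.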

What is more, the efficiency gains from on server matching lead to needing only your finger, face, voice, etc. to pay, to fast identification of incapacitated victims, to global secure logical access to your personal/work data from any device, and to global secure physical access. It's what we all claim we're after: frictionless authentication. Imagine you lose your phone and wallet in a foreign country, but you can still access your bank account, obtain money and buy dinner, all with your face and voice. Or your loved one is in an auto accident; they have an allergy to commonly used pain killers and they're incapacitated, and the EMT can quickly ID them with their fingerprint, see the victim's Tier 1 medical info, and provide treatment that doesn't threaten to injure them further. The use cases made possible by on server biometric authentication are endless...and very lucrative.

The point is, if you really care about keeping the user safe, you don't tell them to put their most valuable possessions under their mattress; you tell them to put them in a safe deposit box. If you really care about efficiency, you don't implement a process with fifteen steps when four will do. If your solution is really the best way, you don't tell people you're eliminating passwords when you're not. If it's really the way we should go, you don't engage in straw man arguments like "proposed regulations favor on device matching" when you've lobbied to create those regs; instead, you point to hard data that says your way is safer. If you really care about helping enterprises make more money in a digital world, you show them the massive leap forward they can make with biometric identity in the cloud.
